Update slsa verification logic (#3010)

flutter/flutter#133376 Newer versions of slsa-verifier have updated the way they check for source uris, and automatically apply the logic we were applying to our script directly. This PR removes the logic of trying both `git+(url)` and `(url)` since it is done automatically now.
flutter · Aug 28, 2023 · 27ecaf6 · 27ecaf6
1 parent 36a179c
commit 27ecaf6
Showing 1 changed file with 3 additions and 25 deletions.
diff --git a/cloud_build/verify_provenance.sh b/cloud_build/verify_provenance.sh
@@ -3,12 +3,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+set -e
+
 # This script is used to verify provenance of our artifacts using slsa-verifier.
 # If slsa-verifier is unable to ensure the provenance of the artifact is
 # legitimate, then the script will exit with a non-zero exit code.
 PROVENANCE_PATH=$1
 BUILDER_ID=https://cloudbuild.googleapis.com/[email protected]
-SOURCE_URI=https://git+https://github.com/flutter/cocoon
+SOURCE_URI=github.com/flutter/cocoon
 
 # Download the jq binary in order to obtain the artifact registry url from the
 # docker image provenance.
@@ -39,27 +41,3 @@ slsa-verifier verify-image $FULLY_QUALIFIED_DIGEST \
   --source-uri $SOURCE_URI \
   --builder-id=$BUILDER_ID \
   --provenance-path $PROVENANCE_PATH
-
-# If the provenance failed, try again, but check for 'git+' in the source-uri
-# Context: Cloud Build is sometimes generating provenance with 'git+', but it
-# will eventually be generated for all builds.
-# TODO(drewroengoogle): Once the cloud build change is completely rolled out,
-# remove this logic and only check for 'git+'.
-COMMAND_RESULT=$?
-if [[ $COMMAND_RESULT -eq 0 ]]; then
-  echo "Provenance verified!" && exit $COMMAND_RESULT
-fi
-
-echo "Verifying the provenance is valid and correct..."
-echo "Checking for source-uri of git+$SOURCE_URI"
-slsa-verifier verify-image $FULLY_QUALIFIED_DIGEST \
-  --source-uri $SOURCE_URI \
-  --builder-id=$BUILDER_ID \
-  --provenance-path $PROVENANCE_PATH
-
-COMMAND_RESULT=$?
-if [[ $COMMAND_RESULT -eq 0 ]]; then
-  echo "Provenance verified!" && exit $COMMAND_RESULT
-fi
-
-echo "Failed to validate provenance." && exit $COMMAND_RESULT